When CIOs worry about the Bring Your Own Device (BYOD) trend, one of the things that most concerns them is their lack of control over mobile apps. Rogue apps packing malware are a major concern, but many malware-free apps pose risks too.
Even in curated marketplaces, mobile apps can be ridiculously intrusive. Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users' address books.
At the time, many security experts warned that this was the tip of the iceberg, and a recent study by Appthority, a provider of mobile security solutions, found that free apps are particularly risky because they have the ability to access sensitive info.
That's bad enough, but what if the app uploads a sales representative's contact list and the developer then sells it to a competitor? That's a new type of data leakage that most organisations aren't ready for.
We won't let workers anywhere near the AppStore
Despite the risks, Illinois-based Riverside Medical Center believed they had no choice when it came to BYOD. Trying to simply prohibit end-user devices would be counterproductive. "For a hospital like ours, BYOD is a marketing issue as much as it is a security one," said Erik J. Devine, Riverside MC's CISO. "If doctors can't use their tablets or smartphones at this hospital, they'll start checking their patients into other ones."
In order to take part in the BYOD program, end users must agree that Riverside MC has the right to remotely wipe the device if any problems arise. That could mean wiping a user's photos or personal emails, but that's the risk users must take if the enterprise is going to cope with BYOD risks.
For corporate-owned devices, of course, risks are easier to manage. "If we decide to purchase an iPad for someone, when it's a pure work tool, you can't even get to the AppStore," Devine said. Good luck telling that to someone shelling out $150/month on an expensive data plan.
For regulated industries like healthcare, though, banning application markets is common. Startup Happtique sees this as an opportunity and provides a mobile application store specifically for healthcare professionals. "A major challenge for clinicians and their IT departments is knowing what apps you can trust and which ones you can't," said Ben Chodor, CEO of Happtique.
Happtique was created after the Greater New York Hospital Association (GNYHA) started looking at mHealth. "We saw few, if any entities in the [mobile application] market with healthcare experience -- a company that truly understands the challenges faced by hospital providers, from HIPAA to health reform to emergency preparedness," Chodor said.
Once GNYHA saw this void, it decided to start its own mobile health solution, which later became Happtique. The startup is in the process of building a solution that helps hospitals and doctors find validated apps and create their own custom catalogs. It uses Appthority's application risk management solution to mitigate mobile app risks, and once it launches it will certify apps, evaluating them to make sure they do what they promise to do.
For the time being, though, most enterprises that want controlled app portals have to build their own, as did Riverside MC. Clamping down on apps is just part of the equation, though. In addition, the hospital uses a combination of McAfee's Enterprise Mobility Management (EMM) software and Fortinet's application firewall to minimize mobile risks. EMM gives Riverside the ability to detect jail-broken devices, enforce policies like two-factor authentication and remotely wipe devices if they are lost or stolen. Since risks evolve over time, Riverside also relies on Fortinet's behavioral analysis capabilities to see exactly what users are doing with their devices.
For instance, if an enterprise learns that a majority of users are playing mobile games during downtime, it might want to educate users on those risks, since in-game malware is common, and mobile games are often the worst offenders when it comes to accessing users' personal information.
Mobile apps get a failing privacy grade
Last year, researchers at viaForensics studied 100 different iOS and Android apps and found that only 17 of them did a good job of protecting user information.
viaForensics tested four different types of apps: financial, social networking, productivity, and retail. Researchers gave each app a grade - pass, warn, or fail - based on how well the app protected data. If viaForensics researchers were able to access the data stored in the app - some of which could be identifying personal information - the app failed.
Apps passed the test if researchers couldn't find the data or found that the stored data was encrypted. Apps in the middle, where researchers found data but felt that the data collected didn't pose much of a risk, were given a "warn" rating.
As you would probably guess, social networking apps were the worst offenders. viaForensics tested 19 social networking apps, and 14 of them failed. The remaining ones all received "warn" ratings.
The failing apps didn't just fail to encrypt data, often storing it in clear text; many also stored passwords in plain text and stored, and potentially exposed, other sensitive data that could easily be used for identity theft.
The only apps that did reasonably well were the financial ones - where security is obviously at a premium. Only 8 out of 32 financial apps failed.
Appthority found that the passage of a year did little to bolster the security of mobile apps. Appthority recently studied the top 50 free apps on iOS and Android and found that 96 percent of iOS apps and 84 percent of Android apps have the ability to access sensitive information, such as contact information, calendar details or physical location, from the device.
Gaming apps were the worst offenders, but many apps dubbed "business" apps also accessed things like address books, and the majority of them connected to an ad network and served up behavioral analytics to that network.
Is it any wonder that entire industries are developing their own app storefronts?
Risks arise as work lives and home lives blend
The blending of work life with home life presents its own set of risks. "From a technology perspective, it's difficult to separate employees' personal lives from their professional lives, and vice versa. The traditional 9 am to 5 pm work day is disappearing and more and more people are working whenever and wherever they want. This means that they might be answering work emails at 10:30 at night," said Dave Snow, CMO for Xigo, a provider of EMM software solutions.
This also means that a lot of important work info will be taken home and transferred to a different device. If a user backs up a phone (with contact lists, emails and other sensitive data) to a home PC, malware on the PC could expose the organization. It could even provide a backdoor into the organisation if identity credentials are compromised. If a hacker on the other end of a keylogger finds out you work for a Fortune 500 company and that you favor the password "Wolfgang2012," you'd better believe that the next thing he'll try to do is access your corporate network.
And consider how users store data now. How many of us store contacts in Outlook or other enterprise systems? Typically, contacts show up on our phones first, and sometimes that's where they stay. "Consider what happened when Facebook tried to encourage the use of @facebook.com addresses and inadvertently overwrote contact lists on smartphones," said Richard Wang, manager of Sophos Labs US. "In such a case, an inconvenience to the user can become an inconvenience to the business as communications go astray and may pass through unexpected channels."
A term often thrown into the BYOD discussion is "consumerisation." Enterprise technologies are being adopted first by consumers, and they're then forcing the enterprise's hand. For CIOs to get ahead of mobile risks, they're going to have to push hard for the "enterprisisation" of consumer technologies.
This might take some novel thinking. For instance, perhaps enterprises should start thinking about subsidizing employees' home antivirus suites, rather than devices - because attacks that target employees may well end up targeting the employer as well, even if the employer wasn't the original target. And if sensitive personal information that could be used for identity theft isn't hacked from a poorly secured app, it's still out there. All it takes is a little digging, and a little probing to find the weak link in the user's social/professional world.